Central bank warns of cyberattack vulnerabilities in financial sector

OTTAWA — Canada’s interconnected banks are vulnerable to a cascading series of cyberattacks that could undermine broad confidence in the financial system, the Bank of Canada warns.

The structural vulnerability could allow for the easy spread of an initial attack that ripples into other sectors such as energy or water systems, says the bank’s June financial review.

The report urges banks to co-operate on countering the threats that are not going away any time soon.

The former head of the U.S. National Security Agency made the same recommendation earlier this month, saying private-sector companies — including banks — have to do a better job of sharing data on attempted hacks in real time to counter the ongoing challenge.

Retired Gen. Keith Alexander told a defence industry trade show that banks have valuable metadata on attempted hacks embedded in the logs of their firewalls and sharing that information can allow them to more successfully fend them off.

Alexander suggested the 2014 cyberattack on the American bank JPMorgan Chase that affected an estimated 80 million accounts could have been prevented if banks had shared information.

Canada’s central bank expressed a similar concern in its most recent update.

“The interconnectedness of the financial system could lead to rapid transmission of stress from a cyberattack,” the report said.

“This is a structural vulnerability that is unlikely to go away. And because of the interconnections in the system, the public sector has a role in co-ordinating cyber defences.”

While those same connected platforms allow the financial services sector to deliver efficient service, they also leave several sectors of the economy vulnerable to attack, said the bank’s report.

“Contagion could occur through financial interconnections or common critical infrastructures in non-financial sectors, such as telecommunications, energy and utilities,” it said.

“A prolonged interruption in financial services, compromised data integrity or a loss of confidence could harm the financial system with knock-on effects to the real economy.”

There were eight high-profile cyberattacks on banks in 2016, the report said, including an $81-million heist at the Bangladesh Bank.

The report urges private-sector players to work together because protecting against an attack “has benefits beyond an individual institution and can be considered a public good.”

The Canadian Bankers Association said recently that its members “constantly update their security systems and protocols to stay ahead of potential threats.” The association urged customers to avoid opening suspicious emails and exposing themselves to ransomware, malicious software that locks a user out of their data and demands a ransom for its release.

“Canadian banks are leaders in cybersecurity and continue to invest in cybersecurity infrastructure to protect the financial system and the personal information of their customers from cyber threats,” the association said in a May 31 statement.

However, the federal government has expressed concerns.

Public Safety Minister Ralph Goodale is mindful of cybersecurity in the financial sector, making a point of meeting on the issue in London last year with former Canadian colleague Mark Carney, now governor of the Bank of England.

“Although banks tend to be more resourced and mature than other sectors in dealing with cyber threats, there are still a number of recognized gaps throughout the sector,” said an internal Public Safety note to prepare Goodale for the meeting.

It pointed out that the theft from Bangladesh’s central bank was carried out by breaching the Society for Worldwide Interbank Financial Telecommunications, or SWIFT, used to authorize payments between accounts.

“This is a clear example of where the system was vulnerable,” said the briefing note, obtained through the Access to Information Act.

The note also underscored the importance of identifying threats and improving the sharing of incident information.

In that vein, the independent, not-for-profit Canadian Cyber Threat Exchange aims to promptly share threat information between Canadian businesses and government agencies, as well as provide cyber threat analysis and advice for reducing risk.